<%
=begin
apps: etcd
platforms: kubernetes, tanzu-application-catalog
id: enable_security
title: Enable TLS and other security features
category: administration
weight: 10
highlight: 10
=end %>

The following sections describe the options available for improving the security of your etcd deployment.

### Configure RBAC

In order to enable Role-Based Access Control for etcd, set the following parameters:

~~~
auth.rbac.enabled=true
auth.rbac.rootPassword=ETCD_ROOT_PASSWORD
~~~

These parameters create a *root* user with an associate *root* role with access to everything. The remaining users will use the *guest* role and won't have permissions to do anything.

### Configure TLS for server-to-server communications

In order to enable secure transport between peer nodes deploy the helm chart with these options:

~~~
auth.peer.secureTransport=true
auth.peer.useAutoTLS=true
~~~

### Configure certificates for client communication

In order to enable secure transport between client and server, create a secret containing the certificate and key files and the CA used to sign the client certificates. In this case, create the secret and then deploy the chart with these options:

~~~
auth.client.secureTransport=true
auth.client.enableAuthentication=true
auth.client.existingSecret=etcd-client-certs
~~~

Learn more about the [etcd security model](https://etcd.io/) and how to [generate self-signed certificates for etcd](https://coreos.com/os/docs/latest/generate-self-signed-certificates.html).
